I have been using the “Dark Mode” addon on various devices without realizing that it’s a clone of the “Dark Reader” extension. Today I logged in to some blindingly white websites and my addon page saying that the Dark Mode extension was disabled and being called Malware in this page:
https://blocked.cdn.mozilla.net/59f951ab-6183-4ae8-9ed0-99b667fa2a86.html
Now I’m sat here wondering: Is that it? With the permissions this addon had it could create a perfect usage profile of myself, read every post I ever made on any website or forum, read out all my login data, my bank data, my personal info - and all Mozilla does is stealthily disable it and be done?
I mean, I don’t know if it actually did any of that. The ticket just says “obfuscated code” but it doesn’t say what this obfuscated code actually does. The addon page got removed so I or anyone else couldn’t try and look at the code by ourselves. I’m basically just sat here wondering if I should change all my passwords ASAP and close down my social media accounts in fear of doxxing, or whatever else would be an appropriate reaction.
Can anyone please clarify? Why is there no advisory on something that could be potentially catastrophic for an affected individual?
I think that’s the wrong block. Check out this thread on Reddit:
I haven’t looked at what the remote scripts do. Maybe you (or someone else) have a copy of the extension and can analyze it in more detail.
Meanwhile, it wouldn’t be a bad idea to change your most important logins.
I got duped by this as well, and I’m worried about the extent of the damage. I grabbed a copy of the disabled extension and stashed it at https://wow.blep.wtf/BluB5yA4 in case anybody would care to inspect it. A quick diff shows wide-ranging changes between the malicious dupe and the recent version of the official addon—in particular, a number of new scripts in background, an entirely new bundle of content scripts, and additional permissions (webrequest, webrequestBlocking, contextMenus, and activeTab).
All the new permissions sound like they could easily be put to ill use. And most of the new code is junk that never gets executed, which is worrisome. But I haven’t been able to dig an attack vector out of the obfuscatory trash.
Maybe someone from Mozilla could add a little context here? Or maybe someone with a sharper eye will find the haystack’s needle.
I can’t even download that file, there’s no download link even in the html code.
Could you please share the archive where it doesn’t require authentication?
Oops! Forgive me, I didn’t realize CloudApp wasn’t showing public download links. Try this guy, from Dropbox: https://www.dropbox.com/s/7u0lxjc3310wl4c/Dark%20Mode%20-%202019-12-18%20(v2.0.2).xpi?dl=0
Here’s the analysis of the same code in another addon (yes, not only dark mode addon was disabled, i had insta downloader that got the same script)
https://github.com/rainyrainyday/HomebrewOverlay